[geekcrypt] Re: Introducing Peter Trei

  • From: Stephen R Guglielmo <srguglielmo@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 22:30:13 -0400

On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
> I've just joined the list.
> I hope to contribute as a developer and architect; I spent 10 years
> developing cryptographic products at RSA Security, among other things.

Welcome! Right now, development is on GitHub. I can give you rw access
if you provide me with your username.

> Have we cleared what we want to do with a lawyer knowledgeable in the field?

Yeah, this needs to happen. I did a tiny bit of research in the last
hour and found some information on the subject. The more I read about
it, the more apparent it becomes to me that we need to give this
careful thought and consideration. www.cryptolaw.org seems to have a
lot of information.

OpenBSD (and thus OpenSSH) are hosted (developed?) in Canada [1],
however, as you mentioned, they have a legal entity backing the
project. It seems that a significant number of countries have signed
the Wassenaar Arrangement [2], which places restrictions on exports,
including Canada (this confuses me a bit in the case of OpenBSD/SSH).
The Wassenaar Arrangement limits the bit size of symmetric and
asymmetric exports, but then allows a "personal use" exception (which,
to me, could potentially lead to arbitrary and capricious legal
decisions). I'm not sure if this affects just where the project is
hosted/compiled, or where the developers reside, or both.

Going off that website (which is probably a bit outdated), I compiled
a list of countries that have *no* restrictions on cryptography:
- Brazil (working on laws?)
- Malaysia (has some "decrypt during a legal search" laws)

There are a few others, but they had some questionable comments/laws
listed. That was just a quick summary of the information I found on
the subject. A lawyer needs to be consulted though. I'm not sure how
to go about doing that. Actually, I just googled "cryptography lawyer"
and found a firm [3] that has offices in Philadelphia and Wilmington
(both cities are very close to me).

[1] http://www.openbsd.org/crypto.html
[2] http://www.cryptolaw.org/cls2.htm#Wassenaar
[3] http://www.panitchlaw.com/

> I strongly suggest that someone on this project contact a team with similar
> concerns - for example, OpenSSL or OpenSSH, so we can leverage their
> experience, or we should talk to the EFF. I don't have strong personal
> contacts in those organizations, but perhaps someone else here does.
> A non-anonymous international team developing strong cryptographic products
> for general use needs to tread carefully, in today's climate.
> 3. Do we need to post a Warrant Canary? Do we need one for each team member?
> Should we add them to emails? Example at
> http://www.rsync.net/resources/notices/canary.txt

I think Warrant Canaries are essential for each of us. That was a
constant source of general mistrust towards TrueCrypt.

> Peter Trei

Nice to meet you Peter! And thank you!
